> I was hoping there would be an easy solution from a user point of view, but I guess not.
Let's see how well this one holds up:
I put this on my form display page:
<cfset variables.myUUID=CreateUUID()>
<cfset client.OriginalFormStamp=variables.myUUID>
and this:
<!--- the hidden field carries the hash of the stamp, not the stamp itself --->
<input
type="hidden"
name="FormUID"
value="#Hash(variables.myUUID)#">
Note the value in the hidden-in-plain-sight form field is hashed.
Then, on the form processor I first run a referrer test. As has been stated, this has some definite holes in it, but I feel obligated to go through the motion anyway.
If it gets past the referrer test, I then do this:
<!--- CompareNoCase() returns 0 only when the strings match, so a non-zero result means the submitted value was not derived from this client's stamp --->
<cfif CompareNoCase(form.formUID,Hash(client.OriginalFormStamp))>
<!--- no match. fall down and go boom --->
</cfif>
So unless there is a hole here that I've missed, the form ID can be faked, but should not be able to get past the validation check on the other side; assuming I haven't done something loony like store my client vars in cookies.
--
-------------------------------------------
Matt Robertson, [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
-------------------------------------------
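The same stamp-and-hash check written out in Python, as an added example that is not part of Matt's post or of any ColdFusion code: the stamp lives in a server-side store standing in for the client scope, the browser only ever receives its hash, and the processor recomputes the hash from the stored stamp and compares. SHA-256 and hmac.compare_digest are my choices here (ColdFusion's Hash() defaults to MD5 and CompareNoCase() is not constant-time); the store and client ids are constructed for the example.

```python
import hashlib
import hmac
import uuid

# Server-side per-client storage, standing in for the ColdFusion client scope.
# Assumption: it lives on the server, never in a browser cookie.
CLIENT_STORE: dict[str, dict] = {}


def _hash_stamp(stamp: str) -> str:
    return hashlib.sha256(stamp.encode()).hexdigest()


def render_form(client_id: str) -> str:
    """Mint a fresh stamp for this client, remember it server-side, and return
    the value to place in the hidden FormUID field (the hash, not the stamp)."""
    stamp = str(uuid.uuid4())
    CLIENT_STORE.setdefault(client_id, {})["OriginalFormStamp"] = stamp
    return _hash_stamp(stamp)


def process_form(client_id: str, submitted_form_uid: str) -> bool:
    """True only when the submitted FormUID equals the hash of the stamp stored
    for this client. Anything else is treated as a forged or stale submission."""
    stored = CLIENT_STORE.get(client_id, {}).get("OriginalFormStamp")
    if stored is None:
        return False
    expected = _hash_stamp(stored).lower().encode()
    # Case-insensitive like CompareNoCase(), but constant-time.
    return hmac.compare_digest(expected, submitted_form_uid.lower().encode())


def demo() -> dict:
    """Walk through the cases the check is meant to separate (constructed inputs)."""
    legit = render_form("client-A")
    other_client = render_form("client-B")
    results = {
        "legit": process_form("client-A", legit),
        "uppercase_hex": process_form("client-A", legit.upper()),
        "forged_value": process_form("client-A", "0" * 64),
        "other_clients_token": process_form("client-A", other_client),
        "unknown_client": process_form("client-Z", legit),
    }
    # Redisplaying the form mints a new stamp, so the earlier hash stops working.
    render_form("client-A")
    results["stale_after_redisplay"] = process_form("client-A", legit)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} accepted={ok}")
```

The only thing a client can influence is the hidden field, and the server never trusts it as an identity: it compares it against a hash derived from state the client never saw. That is why the store has to stay server-side, as the post notes; a cookie-backed client scope would hand the stamp to the browser and defeat the check.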